Electronic Pickpocketing

Scam: Card-skimming thieves can make fraudulent purchases with information read from RFID-enabled credit cards carried in pockets and purses.

MIXTURE

Examples:

[Collected via e-mail, December 2010]

Just received an email concerning "Credit Card Pickpocketing".

It was broadcast from Memphis WREG TV.

[Collected via e-mail, October 2012]

PLEASE WATCH THIS VIDEO

I read this about a couple weeks ago, and then checked my cards for the little "WiFi Signal Icon" on each one. I found none w/that signal on them, but I was determined to watch for it when my cards came in on renewals. Well, yesterday I got my CHASE SLATE card AND THERE IT WAS! My first time to see it. I'll not activate that card after seeing this. I guess I'll go to the bank and see if I can replace it w/a non wi fi (Radio Frequency Card)....?

Thought all my contacts ought to see this if you've not already seen this demo....wow!

Origins: In December 2010, Memphis television station WREG aired an "Electronic Pickpocketing" piece on the potential risks posed by "contactless" credit/debit/ATM cards containing embedded RFID (radio frequency identification technology) chips. Such chips encode basic information (e.g., account numbers, expiration dates) that can be picked up by point-of-sale RFID readers, eliminating the need for cards to be physically handled or swiped. One possible drawback to this technology is unauthorized persons might use RFID readers of their own to surreptitiously glean that same information, as demonstrated in WREG's report, which featured Walt Augustinowicz of Identity Stronghold using a card reader and a netbook computer to engage in card "skimming" — picking up account information off RFID-enabled cards carried in the pockets and purses of random passers-by on the street. A few days after it broadcast the original "Electronic Pickpocketing" story, WREG reported the piece had gone viral, racking up 1.2 million views in just three days.

Despite all the publicity WREG's report garnered, the concept of RFID-enabled credit card theft was hardly a new one. Various news, technical, and security outlets have been reporting (and demonstrating) for several years the potential risk that information transmitted wirelessly by RFID-enabled cards might be picked up by eavesdropping thieves using relatively cheap equipment. But although (as demonstrated in WREG's piece) it's certainly possible for interlopers to read pieces of information from some contactless cards under some circumstances, the extent to which this activity might be used to facilitate theft is currently difficult to gauge.

As the WREG report noted, representatives from the Identity Theft Resource Center said "they've never seen a case of RFID skimming used to steal information," but it's also the case that it would be difficult (if not impossible) for skimming victims to identify exactly how their card information had been stolen. Nonetheless, other analysts have offered reasons why they believe card skimming may not be nearly as much of a threat as some reports have made it sound:

The data streams emitted by contactless cards don't include such information as PINs and CVV (Card Verification Value) security codes — or, in newer cards, customer names — and without those pieces of information a card skimmer should not be able to utilize the stolen card numbers to print up counterfeit cards or engage in Card Not Present (CNP) transactions:

None of the cards transmits the additional number on the front or back, known as the card validation code, that some businesses require for online purchases.

[C]ompany representatives argued [that] the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification "token," or a small bit of code, that is encrypted before being sent.

"It's basically useless information," said David Bonalle, vice president and general manager for advanced payments at American Express. "You can't steal that data and just play it back and expect that transaction to work."

However, some merchants are not assiduous about requiring extra levels of security information from their customers beyond credit card number and expiration date, and security providers contend that card skimmers can still find plenty of places to make purchases with nothing more than 16-digit account numbers and expiration dates.
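The verification scheme the company representatives describe above (a transmitted "dummy number" that differs from the embossed one, plus a per-transaction token that cannot simply be replayed) is easier to understand with a small working model. The following is an added illustration, not code from the original article and not any card network's actual protocol; it is a deliberately simplified stand-in in which the card and issuer share a secret key, the card keeps a transaction counter, and each tap carries an HMAC over the token number, counter, amount and terminal nonce. All names, keys and card numbers in it are constructed sample values.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample values for the demonstration; none is real card data.
EMBOSSED_PAN = "4111111111111111"       # number printed on the card (never sent over the air here)
TOKEN_PAN = "4999000011112222"          # the "dummy number" the card actually transmits
CARD_KEY = b"constructed-per-card-secret-key"  # known only to this card and its issuer


@dataclass
class Card:
    """Simplified contactless card: a secret key plus a transaction counter."""
    token_pan: str
    key: bytes
    counter: int = 0

    def tap(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        # Every tap advances the counter, so no two taps ever produce the same message,
        # and the cryptogram binds the counter, amount and terminal nonce together.
        self.counter += 1
        msg = f"{self.token_pan}|{self.counter}|{amount_cents}|{terminal_nonce.hex()}".encode()
        cryptogram = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"token_pan": self.token_pan, "counter": self.counter,
                "amount_cents": amount_cents, "nonce": terminal_nonce.hex(),
                "cryptogram": cryptogram}


@dataclass
class Issuer:
    """Issuer side: knows each token's key and the highest counter it has accepted."""
    keys: dict = field(default_factory=dict)
    last_counter: dict = field(default_factory=dict)

    def authorize(self, m: dict) -> bool:
        key = self.keys.get(m["token_pan"])
        if key is None:
            return False                      # unknown token number
        expected_msg = f"{m['token_pan']}|{m['counter']}|{m['amount_cents']}|{m['nonce']}".encode()
        expected = hmac.new(key, expected_msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, m["cryptogram"]):
            return False                      # cryptogram does not match: tampered or forged
        if m["counter"] <= self.last_counter.get(m["token_pan"], 0):
            return False                      # counter already consumed: a replayed capture
        self.last_counter[m["token_pan"]] = m["counter"]
        return True


def run_scenario() -> dict:
    """Genuine taps succeed; a passively captured tap cannot be replayed, altered or faked."""
    card = Card(TOKEN_PAN, CARD_KEY)
    issuer = Issuer(keys={TOKEN_PAN: CARD_KEY})

    tap1 = card.tap(1999, secrets.token_bytes(8))          # genuine purchase at a terminal
    genuine = issuer.authorize(tap1)

    replay = issuer.authorize(dict(tap1))                  # same bytes presented a second time
    tampered = issuer.authorize(dict(tap1, amount_cents=1))  # captured tap with amount changed
    forged = issuer.authorize({"token_pan": TOKEN_PAN, "counter": 99, "amount_cents": 500,
                               "nonce": "00" * 8, "cryptogram": "0" * 64})  # token number alone

    tap2 = card.tap(450, secrets.token_bytes(8))           # the cardholder's next real purchase
    second_tap = issuer.authorize(tap2)

    return {"genuine": genuine, "replay": replay, "tampered": tampered, "forged": forged,
            "second_tap": second_tap,
            "token_differs_from_embossed": tap1["token_pan"] != EMBOSSED_PAN}


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:>28}: {outcome}")
```

In this model the eavesdropper's capture contains no secret: the token number is not the embossed number, and the cryptogram is only valid for one counter value, amount and nonce, so the issuer rejects the replay, the altered amount and the forged cryptogram while the cardholder's next tap still goes through. What the model does not cover is the gap the paragraph above raises: a merchant that authorizes on nothing more than a card number and expiration date is bypassing exactly this issuer-side check.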

Although some contactless cards can be read from as far as a few feet away, refinements to the RFID technology employed in newer cards limit their transmission range to a much shorter distance.

Although RFID-enabled cards may have originally transmitted their information in plain text, newer contactless cards are adding encryption to the data streams and thus cannot be read directly by ordinary card readers. (Encryption requires additional processing time, however, so businesses that place a premium on speed may still eschew its use in their card processing systems.)

Card skimming generally works when the victim is carrying only a single contactless card; otherwise, the transmissions from multiple cards can create a jumbled, unintelligible stream.

It remains the case that cardholders are not liable for the fraudulent use of their credit card information, but consumers who are extra cautious have the option of investing in secure sleeves that shield the RFID signals transmitted by their cards from electronic eavesdroppers.